How to obtain a high quality vulnerability assessment


Steven Weil, CISSP, CISA, CBCP
12.11.2003

As a security manager, you should regularly test your organization's security technology and practices. Such testing enables you to find and mitigate vulnerabilities before malicious attackers do. An excellent way to test your security technology and practices is to regularly conduct vulnerability assessments.

Many companies offer to perform vulnerability assessments, and it's important that you identify one that will provide a high quality assessment. There are measures you can take to ensure that the assessment is appropriate for your organization's needs and that it efficiently and accurately identifies the vulnerabilities on your information systems, and then presents realistic, cost-effective steps for mitigation.

Choose your assessor carefully

When choosing an assessor, consider the following:

  • Does the assessor have a range of experience with a variety of operating systems and applications? A high quality assessor has experience with and a detailed understanding of a wide variety of operating systems and applications. An assessor who only knows Windows will not be of much use identifying vulnerabilities in Unix or Linux information systems. Make sure the assessor has proven experience with and knowledge of the operating systems and applications on your information systems.

  • Does the assessor have an understanding of core protocols? A high quality assessor has a strong, demonstrated understanding of core Internet and network protocols (e.g., SMTP, SNMP, FTP, telnet, NetBIOS) and the vulnerabilities associated with them. These protocols are often the target of attackers and can have very serious vulnerabilities. For example, your assessor should know that Telnet sends the username and password unencrypted, and he should be able to extract information from unprotected NetBIOS shares.

  • Does the assessor use a variety of discovery techniques? There are many vulnerability assessment software programs; a number of them are fairly easy to use. Some assessors simply download such tools, point them at a network and report the results. High quality assessors have much more in their toolbox. They will also:
    • Conduct protocol-specific checks (e.g., check for the ability to use vrfy or expn commands on an SMTP server)
    • Check for default vendor passwords
    • Conduct application specific checks (e.g., check for vulnerable CGI scripts on a Web server)
    • Check for weak passwords and permissions (if appropriate per the rules of engagement)
    A high quality assessor, when possible, will also confirm vulnerabilities reported by software tools; many tools report false positives.

  • Does the assessor have strong communication skills? Your assessor should be able to explain -- both verbally and in writing -- discovered vulnerabilities, risks and possible mitigation methods in a clear, concise manner that is useful to both technical and non-technical persons. A high quality assessor presents findings in a neutral, non-judgmental way. Instead of seeking to place blame, they clearly describe the vulnerability and present realistic, cost-effective methods for mitigation.

  • Is the assessor able to offer reasonable and appropriate mitigation recommendations? A high quality assessor presents recommendations that strike a balance between security and functionality, and are cost-effective and achievable. For example, your assessor should not recommend an expensive, complicated measure, such as modifying an information system's TCP/IP stack, in order to mitigate a vulnerability that has a low likelihood of exploitation.

Define the scope of the assessment

Once you've identified an assessor, sit down with him and define and document exactly what will be covered. Do you want to evaluate only certain servers on your network or do you want to review all of your information systems and security practices? A vulnerability assessment can include one or more of the following:

  • Detection and identification of information system vulnerabilities, both from the Internet and from an organization's internal network
  • Detection and identification of open ports and available services on specific information systems
  • Detection and identification of specific application vulnerabilities
  • Detection and identification of modems (for war dialing)
  • Attempts to obtain unauthorized data or access from an organization's employees (social engineering attempts)
  • Attempts to gain unauthorized physical access to an organization's information systems (physical penetration test)

In general, it's better to conduct the most comprehensive evaluation possible, but political and financial considerations may not always allow this. You should define and document an assessment that is reasonable and appropriate for your organization. The scope documentation provides a framework for the assessment and can be used as a baseline for future assessments.

Set rules of engagement

Next, define the rules that will govern the assessment. Typical questions that need to be answered include:

  • Should discovered vulnerabilities be exploited or only recorded?
  • What type of attack methods can be used (social engineering, denial of service, war dialing, etc.)?
  • At what times can the assessment occur?
  • Are there certain types of information systems that should be excluded from the assessment (e.g., those providing medical services)?

The rules should be appropriate and reasonable for your organization and should support the overall scope of the assessment.

Defined and documented rules of engagement are necessary to ensure that a vulnerability assessment does not disrupt your organization. A high quality assessor never exceeds the rules. Avoid assessors who are unwilling to establish rules of engagement.
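One way to make the documented scope and rules of engagement enforceable rather than a paper agreement is to encode them as data and check every planned activity against them before it runs. The following is an added example written for this page, not code from the author or from any assessment tool; the rule fields (in-scope networks, excluded hosts, permitted techniques, an exploit-or-record flag and a daily testing window) and the sample values are assumptions, and the addresses come from the 192.0.2.0/24 documentation range.

```python
"""Encode rules of engagement as data and check a planned activity against them.
Added example; field names, sample rules and addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """Documented rules for one assessment (field names are assumptions)."""
    in_scope: list           # CIDR networks the assessor may test
    excluded_hosts: set      # addresses carved out of scope (e.g. medical systems)
    allowed_techniques: set  # e.g. {"port-scan", "banner-grab"}
    exploit_allowed: bool    # may discovered vulnerabilities be exploited, or only recorded?
    window_start: time       # daily testing window (may cross midnight)
    window_end: time

    def check(self, target: str, technique: str, exploit: bool, when: datetime) -> list:
        """Return a list of rule violations; an empty list means the activity is permitted."""
        problems = []
        addr = ip_address(target)
        if not any(addr in ip_network(net) for net in self.in_scope):
            problems.append(f"{target} is outside the documented scope")
        if target in self.excluded_hosts:
            problems.append(f"{target} is explicitly excluded from the assessment")
        if technique not in self.allowed_techniques:
            problems.append(f"technique '{technique}' is not permitted by the rules")
        if exploit and not self.exploit_allowed:
            problems.append("rules require vulnerabilities to be recorded, not exploited")
        now = when.time()
        if self.window_start <= self.window_end:
            in_window = self.window_start <= now <= self.window_end
        else:  # window crosses midnight, e.g. 22:00 to 06:00
            in_window = now >= self.window_start or now <= self.window_end
        if not in_window:
            problems.append(f"{when:%H:%M} is outside the agreed testing window")
        return problems


# Constructed sample rules for a fictional engagement (documentation address range)
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24"],
    excluded_hosts={"192.0.2.50"},          # assumed: a system providing medical services
    allowed_techniques={"port-scan", "banner-grab", "default-password-check"},
    exploit_allowed=False,                  # record only, do not exploit
    window_start=time(22, 0),
    window_end=time(6, 0),
)


def violations(target, technique, exploit, when_iso, roe=SAMPLE_ROE):
    """Convenience wrapper taking the planned time as an ISO 8601 string."""
    return roe.check(target, technique, exploit, datetime.fromisoformat(when_iso))


def permitted(target, technique, exploit, when_iso, roe=SAMPLE_ROE) -> bool:
    """True when the planned activity breaks none of the documented rules."""
    return not violations(target, technique, exploit, when_iso, roe)


if __name__ == "__main__":
    # A planned activity that breaks four rules at once
    for problem in violations("192.0.2.50", "social-engineering", True, "2003-12-11T14:30"):
        print("VIOLATION:", problem)
```

Because `check` returns every violated rule rather than stopping at the first, the output doubles as the record you would hand back to an assessor who proposed an out-of-scope step; the excluded-host list is checked separately from the CIDR scope so that a carve-out inside an in-scope network is still caught.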

Identify vulnerabilities that require immediate notification

Not all vulnerabilities are equal. Some clearly pose more risk than others. A high quality assessor will interpret and prioritize discovered vulnerabilities so that your organization can focus on the important ones. Your assessor should also explain the risks of specific vulnerabilities so that their prioritization is understood.

At the same time, the assessor should not hold serious vulnerabilities back for the final report. For example, you should be notified immediately of a vulnerability in a database containing significant amounts of financial data that will likely and easily result in the misuse or abuse of the data from the Internet. Expeditious reporting will enable you to quickly mitigate these threats. You should work with the assessor to define and document the types of vulnerabilities that need to be reported quickly, as well as how and to whom the report will be made.
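The two points above, confirming tool output before trusting it (many tools report false positives) and agreeing in advance which findings are reported at once, can both be written down as a small triage rule set. The following is an added example for this page, not code from the author or from any scanner; the finding fields, the likelihood-times-impact scoring, the cap on unconfirmed results and the immediate-notification rule are all assumptions modelled on the article's financial-database example, and the sample findings are constructed.

```python
"""Prioritise assessment findings and flag those needing immediate notification.
Added example; fields, scoring scheme, notification rule and data are constructed."""
import csv
from io import StringIO

# Ordinal scale for likelihood of exploitation and for impact (assumed)
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed scanner-style output: one row per reported vulnerability.
# 'confirmed' records whether the assessor verified the tool's result by hand.
SAMPLE_FINDINGS = """\
id,host,exposure,data_class,likelihood,impact,confirmed
F1,db1.example.test,internet,financial,high,high,yes
F2,web1.example.test,internet,public,medium,low,yes
F3,fs1.example.test,internal,hr,high,medium,no
F4,print1.example.test,internal,none,low,low,yes
"""


def load_findings(text: str) -> list:
    """Parse CSV findings into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def priority(f: dict) -> int:
    """Likelihood x impact on the ordinal scale (1..9). An unconfirmed tool
    result is capped at medium/medium so a possible false positive cannot
    outrank confirmed findings until the assessor verifies it."""
    score = LEVELS[f["likelihood"]] * LEVELS[f["impact"]]
    if f["confirmed"] != "yes":
        score = min(score, LEVELS["medium"] * LEVELS["medium"])  # cap at 4
    return score


def needs_immediate_notification(f: dict) -> bool:
    """Assumed notification rule: a confirmed, Internet-reachable, easily
    exploited vulnerability on a system holding sensitive data is reported
    at once rather than held for the final report."""
    return (
        f["confirmed"] == "yes"
        and f["exposure"] == "internet"
        and f["likelihood"] == "high"
        and f["data_class"] in {"financial", "medical", "hr"}
    )


def triage(text: str = SAMPLE_FINDINGS) -> list:
    """Return findings sorted by descending priority, each tagged with its
    score and whether it falls under the immediate-notification rule."""
    rows = load_findings(text)
    for f in rows:
        f["priority"] = priority(f)
        f["immediate"] = needs_immediate_notification(f)
    return sorted(rows, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for f in triage():
        flag = "NOTIFY NOW" if f["immediate"] else ""
        print(f'{f["id"]:3} {f["host"]:22} priority={f["priority"]} {flag}')
```

In the constructed data, F3 scores higher than F2 on paper but is an unverified tool result on an internal file server, so it is capped and does not trigger notification; only F1, the confirmed Internet-facing financial database, is flagged for immediate reporting. The agreed rule belongs in the scope document alongside who is to be told and how.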

Vulnerability assessments are crucial for ensuring the security of your information systems and should be done on a regular basis. Follow these suggestions and you'll receive a high quality vulnerability assessment that reasonably and efficiently identifies vulnerabilities on your information systems and presents realistic and cost-effective measures to mitigate them.

About the author
Steven Weil, CISSP, CISA, CBCP is senior security consultant with Seitel Leeds & Associates, a full service consulting firm based in Seattle, Wash. Steven specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning and security assessments. He can be reached at sweil@sla.com.
